10 November 2021

Microsoft’s November 2021 Patch Tuesday fixes over 50 bugs, two zero-days



Microsoft has released its monthly batch of security updates that fix at least 55 vulnerabilities across a wide range of its products, including Windows and its components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and others.

November 2021 Patch Tuesday also includes fixes for two zero-day flaws actively exploited in the wild. The two under-attack vulnerabilities impact Microsoft Exchange Server and Microsoft Excel products.

The Microsoft Exchange vulnerability (CVE-2021-42321) is described as an input validation error that exists due to insufficient validation of cmdlet arguments. A remote user can run a specially crafted cmdlet and execute arbitrary commands on the system.

“We are aware of limited targeted attacks in the wild using one of the vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019,” Microsoft said, adding that the bug affects on-premises Microsoft Exchange Server, including servers used in Exchange Hybrid mode.

"Our recommendation is to install these updates immediately to protect your environment," Microsoft urged.

The second zero-day flaw (CVE-2021-42292) resides in Microsoft Excel and allows a remote attacker to execute arbitrary code on the system with the help of a specially crafted Excel file.

The Windows maker has also fixed four publicly disclosed vulnerabilities not known to be exploited in cyberattacks:

CVE-2021-38631 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

CVE-2021-41371 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

CVE-2021-43208 - 3D Viewer Remote Code Execution Vulnerability

CVE-2021-43209 - 3D Viewer Remote Code Execution Vulnerability

The November Patch Tuesday updates also include fixes for high-risk flaws affecting Azure, Microsoft Edge, Windows Defender, Visual Studio and multiple Windows components.
